Talk:Over 8M Virginian patient records held to ransom, 30 Apr 2009

From WikiLeaks

Whoever did this will spend the rest of his life in Supermax prison, probably in solitary confinement. You really have to be stupid to try to extort money from a government entity, herds of FBI agents will be after you. 1.0.22.53 18:43, 4 May 2009 (GMT)

This cracker aint local

His buddies stole personal data from health services at uberkeley the week after the first breach at virginia government computer.

Doesn't make sense at all

The guy wants contact via a yahoo mailbox, serios? When all US providers have fiber bypass links direct to NSA? No matter how many proxies he used, the location will be pinpointed and he is probably being watched 7x24 as I write.

Otherwise the data set is not worth 10 million dollars, not nearly that much. This case isn't much of a story compared to the professional, low-profile, day-to-day activity of chinese and russian cyberspies, who steal a lot of sensitive and secret US data!

Pardon my ignorance, kind sir, but what exactly will the taps do if the emai was registered via TOR (www.torproject.org), and the mail is downloaded via tor only? Especially if the entire process of tor-registering and tor-checking the mailbox is done via some random open WiFi? /

What does make sense is the use of "hacker" to describe the script kiddies' antics, because he came back and stole data from uberkeley a week later.

I wonder who's gonna get junk mail now.

Really...

Does this idiot actually think he's going to get away with it?

well if he lives somwhere outside the us... russia, or some other of those lands, he could. Because thats a case for the FBI, and not the CIA --1.0.22.53 14:17, 5 May 2009 (GMT)

Yes, because he is not cracking those medical records out of those servers domestically.

Please ...

I would like to know why this public facing device had direct access to protected health information. With the HIPPA requirements shouldn't they be limiting access to this data to those that need access and not let just anyone bounce attacks off the webserver to see if something sticks?

Answer: Becasue the State of Virginia, or atleast this agency, is not following HIPAA? This is why they need to follow it, this is why enforcement is a good idea...

One More PLEASE ...

Until companies realize there will always be certain portions of the world population that want access to either their data or assets we will continue to see this issue. I have seen many instances of companies throwing a webserver on the internet without properly testing the os, webserver or applications for vulnerabilities. These devices will eventually become compromised and more often than not stay compromised until notified by a third party.

My point is if we know that our data and assets are valuable to someone then we should take certain measures to ensure the risks are minimized. If we place a device on the internet without properly testing it we have nobody to blame for our mistake. If we allow access to this device from anywhere on the internet when we only need access from certain ip addresses we have nobody to blame for our mistake. If we place sensitive information on these devices without performing these steps then SHAME ON US!

We should demand that proper precautions are taken to safe guard our personal data. When a breech of information occurs, questions need to be asked. These questions need not be in the form of "suspected punishment for the attacker". But more as to how this company is dealing with the data loss and what steps they will take in the future to prevent this.

Too many assumptions

It is common knowledge that many gateways to personal information are not totally secure and once security is implemented, often it is not reviewed and updated. This type of scenario will lead to everything being hacked over a long enough time line, even old data that could still be valuable to some party.

There are some assumptions being made that the FBI will be on this/these so-called hacker/s at some point, however that assumption is based on the perpertator being in the US. What if the perpertator is not in the US? The FBI does not have jurisdication in all countries.

It is going to be interesting to see how the authorities deal with this if they do not catch the perpertator/s and they do put the data up to the highest bidder. This could be a conundrum for authorities as they will have to presumably have a "no ransom" policy with data, just as they do with lives. However, the ramifications of them letting this information be sold are fairly serious. It is going to be an interesting case to watch unfold, who knows it could even set a precedent (unless one has already been set in the past).

This will happen again and again and again. Is any data secure? How the authorities deal with these types of incidents is going to be the key. They may even have to pay the ransom as the consequences of allowing this data to be leaked are too severe. Then they will spend all their resources on recovering the ransom and bring the perperators to justice, in this type of scenario will the "no ransom" policy change with regard to data. I, for one am watching this space - http://www.of-networks.co.uk/blog/hackers_ransom

Please resist calling this criminal a hacker, though.

Confirmation

I called the Virginia Department of Health and asked for the administrator of the Prescription Monitoring Program. She said this was being investigated by the FBI and the Virginia State Police. So, something happened, but I doubt that the particular "ransom note" posted here is genuine, unless the "kidnapper" is an 11 year old, or someone with a sense of humor. Maybe the "real" ransom note has not been released.

Gov.uk take note

National Identity Register: Real Bad Idea.

Missing backups are very hard to believe.

Database backups are kept in multiple locations, in multiple forms, and multiple stages. More specifically, a typical backup regime includes "online" backups that provide an ongoing mirror of the data for purposes of interruption free failover in case of, for example, a hardware crash or a power failure and also "offline" for the purposes of data restoration after a complete failure due to, for example, an unrecoverable hardware failure or a natural disaster.

Online backups may be on a different computer within the same server room, on a different server and different server room, but in the same larger location, or for more valuable data, the mirror may be operating several miles away, or even hundreds of miles away.

Offline backups may be "tape" backups, or backups to a removable medium (e.g., CD, DVD, bluray, etc.). The use of DLT tapes are very common. Data is commonly backed up once a day and then again weekly or monthly backups are made and actually sent physically "off site" with a provider such as Iron Mountain.

Thus, the claim that the backups are also missing is quite simply unbelievable. Potential explanations for the statement may include the following:

1) The letter is a complete hoax and the agency took down the server as a precaution;

2) The letter is real, but the threat about the backup is meant only to get attention and while the agency is able to easily confirm that the backups are not missing, they have declined to do so thinking that non-disclosure is best for their investigation;

3) The letter is real, and the cracker BELIEVES that he has deleted the primary data source and the "backup," wherein reality he has likely only deleted a connected mirror or other "online" backup copy, perhaps being ignorant of removable media backups;

4) There is a disturbing possibility that the cracker through either inside knowledge or just dumb luck has made a genuine threat about the backups and indeed, the agency is unbelievably negligent insomuch as they have failed to follow the most basic of backup procedures, and have not created any offline backups or sent any backups to off-site storage, which enable the recovery of data subsequent to a complete and total loss. This possibility is remote, but nevertheless plausible.

OMG fag!

He sounds like one of those immature American kiddies who always seem to appear when you play online games. When dad finds out, it'll be a clip round the ear!

Indeed, the perpetrator is a script kiddie, probably from China or Russia, with help from Bulgaria.

He's just advertising, lol

the ransom note is (obviously) an advertisement intended to let the potential buyer know that there is a database for sale.

Snooping for shadowy customers is usually hard.
Announce like this - and bingo, it's easy.

Also, I see no reason why hackingforprofit can not sell the database after collecting ransom (assuming he can collect the ransom without getting caught)

BTW, one has to wonder - how is he going to collect the money ANYWAY ? Because, to get money that are in the millions, one usually has to surface somehow...

Unbelievable!

Unbelievable the balls on this guy? He sounds either UNEDUCATED,or FOREIGN! Hes gotta know he is gotta get caught so i wont be surprised if this is the work of someone that lives both here and overseas, and he probably has already gotten the HELL out of the U.S. and is in some other country, probably ones that dont have fuguitve return agreements with the U.S so that where he goes/went after doing this, he can be proteced by that state without fear of being EXTRADITED (THATS THE WORD I WAS LOOKING FOR ABOVE! LOL!

Anyways i wanted to comment on what he says at the end of his random note, HERE:

WORDS COPY/PASTED from the Origonal

When you boys get your act together, drop me a line at hackingforprofit@yahoo.com and we can discuss the details such as account number, etc.

Until then, have a wonderful day, I know I will ;)

OK. FIRST OFF:lol he says "drop me a line" to me it sounds like hes TRYING TO HARD to use U.S Street Slang to make it look like someone with not much INTELLIGENCE ,Born and raised in this country did this, but i doubt that im sure he used tons of proxys and the address that was matched up to the URL prolly was another proxy, and by the time he hacked into the site,im sure he has already landed into whatever country doesnt have extradition laws with the U.S. as we speak.....Meaning IM SURE right as he did this,he had his shit packed and ready to leave the country,i think this guy is VERY SMART and used that type of language to make it look like it was a simple IDIOT in our own country, my belief from this conclusion is that is someone that is Anti-American, and could be the begining of what other internationalists against the US can do, this is probably just a test to see how we respond guys! Think outside the box cause our enemys sure as hell are, and in certain ways its working unfortunately! :-(

SECONDLY: WHen he says "Have A nice day,i know I will!" basically boasting. IF HE WAS JUST a punk teenager or young adult who LIVES HERE AND DID THIS,the morons gonna get caught REAL QUICK so he better enjoy his final day or two of freedom IF thats the case,but as ive said above I believe this is MUCH BIGGER then it looks and that the person behind it typed it up the way they did to throw our government off and make it look like a BORN NATIONAL of ours did it, when i betcha anything this was a planned test with SOME FRINDGE group or anti american cyber terrorist groups in europe,euro-asia and the Middle East. Thats my belief otherwise the "punk kid" if it truly was just a born national punk kid, would have been caught HOURS AGO!

So thats my belief on this issue, that they used the grammar and words they did to throw us off and that they are actually smarter then they put off ,this is my guess by doing some research on the web about these issues then carefully loking over the ransom note and other things about this case. That is my belief! This could be a test to see if our government cant respond properly,and if it doesnt, they may then try another 9/11 ,thats my fear and i hope we dont take this as a joke, that we take this seriously...WE DONT PAY the money, but still we need to open up our mind onto my theory if we are going to find this I-Terrorist!

To the morons who posted the ransom demand I say this: Do you honestly think that the money you seek will be paid? How can we trust that you're telling the truth about having those records in your hands, and even if you do, how would we know that you wouldn't misuse them after having been paid the ransom? Gmab! I hope the Feds catch up to you jerks and throw you in jail & toss the ##$@ key!

Nice

I would like to meet the person who did this. Seriously. How did you do it. Nice.
I'd like to talk w/you. If you are reading this: I think you can figure out how to communicate with me.
<Hack it?>